Mitsubishi Electric MELSEC iQ-R Series
Monitor | 7.4 | ICS-CERT ICSA-21-250-01 | Sep 7, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
MELSEC iQ-R Safety CPUs and SIL2 Process CPUs contain vulnerabilities (CWE-200 exposure of sensitive data, CWE-522 insufficiently protected credentials, CWE-645 overly restrictive allowlist) that allow a remote attacker on the network to extract legitimate user credentials or gain unauthorized access without authentication. Successful exploitation could grant an attacker the ability to modify safety-critical logic, alter control system behavior, or deny access to legitimate operators. The vulnerabilities affect firmware version 26 or earlier on Safety CPUs and version 11 or earlier on SIL2 Process CPUs. All versions of these products are vulnerable.
What this means
What could happen
An attacker with network access could extract legitimate user credentials from the Safety CPU or SIL2 Process CPU, potentially gaining unauthorized access to modify safety-critical logic or lock out legitimate operators from the control system.
Who's at risk
Energy sector organizations operating Mitsubishi Electric MELSEC iQ-R Safety CPUs (R08/R16/R32/R120SFCPU) or SIL2 Process CPUs (R08/R16/R32/R120PSFCPU) in water treatment plants, electric substations, or other critical infrastructure should be concerned. These are safety-critical controllers used to manage emergency shutdowns, interlocks, and hazard prevention logic.
How it could be exploited
An attacker on the network sends a request to the Ethernet port of a MELSEC iQ-R Safety CPU or SIL2 Process CPU. The device responds with credential information or allows unauthorized access without proper authentication. The attacker can then use extracted credentials to log in and modify the safety logic, setpoints, or deny access to legitimate users.
Prerequisites
- Network connectivity to the Ethernet port of the MELSEC iQ-R CPU (port unspecified in advisory)
- No valid credentials required to extract user information
- Device must be running vulnerable firmware version 26 or earlier (Safety CPU) or version 11 or earlier (SIL2 Process CPU)
- remotely exploitable
- affects safety systems
- no patch available
- no authentication required for credential extraction
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (16)
16 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| MELSEC iQ-R series Safety CPU R16SFCPU Firmware: <=26 | ≤ 26 | No fix (EOL) |
| MELSEC iQ-R series Safety CPU R16SFCPU: vers:all/* | All versions | No fix (EOL) |
| MELSEC iQ-R series Safety CPU R32SFCPU Firmware: <=26 | ≤ 26 | No fix (EOL) |
| MELSEC iQ-R series Safety CPU R32SFCPU: vers:all/* | All versions | No fix (EOL) |
| MELSEC iQ-R series Safety CPU R120SFCPU Firmware: <=26 | ≤ 26 | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Implement network firewall rules to block all inbound access to MELSEC iQ-R Ethernet ports from untrusted networks and hosts
- WORKAROUND: Deploy a VPN requirement for any remote access to the control network containing MELSEC iQ-R devices
- WORKAROUND: Enable and configure the IP filter function on each MELSEC iQ-R CPU to restrict access to known, authorized engineering workstations only
- WORKAROUND: Reset all user passwords via USB connection rather than over the network to prevent credential exposure during password entry
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MELSEC iQ-R series Safety CPU R16SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R16SFCPU: vers:all/*, MELSEC iQ-R series Safety CPU R32SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R32SFCPU: vers:all/*, MELSEC iQ-R series Safety CPU R120SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R120SFCPU: vers:all/*, MELSEC iQ-R series SIL2 Process CPU R08PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R16PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R16PSFCPU: vers:all/*, MELSEC iQ-R series SIL2 Process CPU R32PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R32PSFCPU: vers:all/*, MELSEC iQ-R series SIL2 Process CPU R120PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R120PSFCPU: vers:all/*, MELSEC iQ-R series SIL2 Process CPU R08PSFCPU: vers:all/*, MELSEC iQ-R series Safety CPU R08SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R08SFCPU: vers:all/*. Apply the following compensating controls:
- HARDENING: Segment MELSEC iQ-R devices into an isolated LAN with restricted inbound connectivity from untrusted sources
- HARDENING: Monitor network traffic to the MELSEC iQ-R Ethernet ports for suspicious login attempts or unauthorized access patterns